| Category | Sub-item | Parameter | Sample value |
|---|---|---|---|
| Network | VPC information | Subnet CIDR block | 10.1.1.0/24 |
| | | Public IP of the VPN gateway | 159.xx.xx.242 |
| | IDC information | Private CIDR block | 172.16.0.0/16 |
| | | Public IP of the gateway | 120.xx.xx.76 |
| IPsec VPN connection | IKE | Version | IKEv1 |
| | | Identity verification method | Pre-shared key |
| | | PSK | tencent@123 |
| | | Encryption algorithm | AES-128 |
| | | Authentication algorithm | MD5 |
| | | Negotiation mode | main |
| | | Local ID | IP address: 120.xx.xx.76 |
| | | Remote ID | IP address: 159.xx.xx.242 |
| | | DH group | DH2 |
| | | IKE SA lifetime (in seconds) | 86400 |
| | IPsec | Encryption algorithm | AES-128 |
| | | Authentication algorithm | MD5 |
| | | Packet encapsulation mode | Tunnel |
| | | Security protocol | ESP |
| | | PFS | disable |
| | | IPsec SA lifetime (in seconds) | 3600 |
| | | IPsec SA lifetime (in KB) | 1843200 |
| Firewall | Interface | Nameif | outside |
Configuration for IKEv1 using a crypto map. First log in to the firewall over SSH and enter global configuration mode:

```
ssh -p <port> admin@10.XX.XX.56   # Log in to the firewall's configuration interface over SSH (replace <port> with the firewall's SSH port).
User Access Verification
Username: admin
Password: ********
Type help or '?' for a list of available commands.   # Enter the username and password to enter user mode.
ASA>
ASA> en
Password:   # Enter "enable" and its password to enter privileged EXEC mode, in which you can only view information.
ASA# conf t
ASA(config)#   # Enter "configure terminal" (abbreviated "conf t") to enter global configuration mode, in which you can configure the firewall.
```
```
interface GigabitEthernet0/0
 nameif outside   # Name the security zone of the interface.
 security-level 0   # Set the security level of the interface.
 ip address 120.XX.XX.76 255.255.255.252   # Configure the local public IP address of the VPN tunnel.
```
```
crypto ikev1 enable outside   # Enable IKEv1 on the "outside" interface.
crypto ikev1 policy 10   # Define the phase 1 (IKEv1) negotiation policy. The priority is a number from 1 to 65535; the smaller the number, the higher the priority. 10 is used here.
 authentication pre-share   # Authenticate the peer with a pre-shared key.
 encryption aes   # Use AES-128 (keyword "aes") as the phase 1 encryption algorithm. The page treats this as the default.
 hash md5   # Use MD5 as the hash algorithm for the IKE policy. The default is SHA.
 group 2   # Use Diffie-Hellman group 2 for the IKE policy. The default is group 2.
 lifetime 86400   # IKE SA lifetime in seconds. The default is 86400.
```
```
tunnel-group 159.XX.XX.242 type ipsec-l2l   # Create a site-to-site (LAN-to-LAN) IPsec tunnel group named after the peer's public IP.
tunnel-group 159.XX.XX.242 ipsec-attributes   # Configure the tunnel group attributes, including the pre-shared key.
 ikev1 pre-shared-key tencent@123   # The key is a string of 1 to 128 characters (letters, digits or symbols).
```
```
crypto ipsec ikev1 transform-set TS esp-aes esp-md5-hmac   # Specify the encryption (AES-128) and authentication (MD5 HMAC) algorithms for the phase 2 IPsec negotiation.
```
```
access-list INTERESTING extended permit ip 172.XX.XX.0 255.255.0.0 10.1.1.0 255.255.255.0   # Define the ACL that matches the traffic (IDC range to VPC subnet) to be carried in the VPN tunnel.
```
```
crypto map CMAP 1 match address INTERESTING   # Only packets whose source and destination match the ACL are sent through the VPN tunnel.
crypto map CMAP 1 set peer 159.XX.XX.242   # Public IP of the peer VPN gateway to which IPsec-protected traffic is forwarded; the Tencent Cloud VPN gateway IP is used here.
crypto map CMAP 1 set ikev1 transform-set TS   # Use the IKEv1 transform set defined above for this crypto map entry.
crypto map CMAP 1 set security-association lifetime seconds 3600   # Configure the IPsec SA lifetime in seconds.
crypto map CMAP interface outside   # Apply the crypto map configured above to the "outside" interface.
route outside 10.1.1.0 255.255.255.0 159.XX.XX.242 1   # Route the IP range to be encrypted towards the IPsec tunnel, with the peer's public IP as the next hop.
```
Use the ping command to test the VPN connectivity.

Configuration for IKEv1 using a VTI (virtual tunnel interface). Log in to the firewall over SSH and enter global configuration mode as in the previous section (ssh, then enable, then conf t), and continue as follows.
```
interface GigabitEthernet0/0
 nameif outside   # Name the security zone of the interface.
 security-level 0   # Set the security level of the interface.
 ip address 120.XX.XX.76 255.255.255.252   # Configure the local public IP address of the VPN tunnel.
```
```
crypto ikev1 enable outside   # Enable IKEv1 on the "outside" interface.
crypto ikev1 policy 10   # Define the phase 1 (IKEv1) negotiation policy. The priority is a number from 1 to 65535; the smaller the number, the higher the priority. 10 is used here.
 authentication pre-share   # Authenticate the peer with a pre-shared key.
 encryption aes   # Use AES-128 (keyword "aes") as the phase 1 encryption algorithm. The page treats this as the default.
 hash md5   # Use MD5 as the hash algorithm for the IKE policy. The default is SHA.
 group 2   # Use Diffie-Hellman group 2 for the IKE policy. The default is group 2.
 lifetime 86400   # IKE SA lifetime in seconds. The default is 86400.
```
```
tunnel-group 159.XX.XX.242 type ipsec-l2l   # Create a site-to-site (LAN-to-LAN) IPsec tunnel group named after the peer's public IP.
tunnel-group 159.XX.XX.242 ipsec-attributes   # Configure the tunnel group attributes, including the pre-shared key.
 ikev1 pre-shared-key tencent@123   # The key is a string of 1 to 128 characters (letters, digits or symbols).
```
```
crypto ipsec ikev1 transform-set TS esp-aes esp-md5-hmac   # Specify the encryption (AES-128) and authentication (MD5 HMAC) algorithms for the phase 2 IPsec negotiation.
```
```
crypto ipsec profile PROFILE1
 set ikev1 transform-set TS   # Use the IKEv1 transform set defined above for this IPsec profile.
 set security-association lifetime kilobytes 1843200   # Amount of traffic in kilobytes allowed over the SA before it is renegotiated.
 set security-association lifetime seconds 3600   # SA lifetime in seconds. The defaults are 4,608,000 kilobytes and 28,800 seconds.
```
```
interface Tunnel100
 nameif vti   # Name the tunnel interface; the "route vti" command below refers to this name.
 ip address 172.XX.XX.2 255.255.255.0   # Assign an IP address to bring the tunnel interface up (same sample address as in the IKEv2 VTI configuration).
 tunnel source interface outside   # The tunnel is sourced from the "outside" interface.
 tunnel destination 159.XX.XX.242   # Public IP address of the peer VPN gateway; the Tencent Cloud VPN gateway IP is used here.
 tunnel mode ipsec ipv4   # Set the tunnel interface protocol to IPsec over IPv4.
 tunnel protection ipsec profile PROFILE1   # Protect traffic through the tunnel interface with the IPsec profile defined above.
route vti 10.1.1.0 255.255.255.0 159.XX.XX.242   # Route the packets to be encrypted to the tunnel interface.
```
Use the ping command to test the VPN connectivity.

Configuration for IKEv2 using a crypto map. Log in to the firewall over SSH and enter global configuration mode as in the first section (ssh, then enable, then conf t), and continue as follows.
```
interface GigabitEthernet0/0
 nameif outside   # Name the security zone of the interface.
 security-level 0   # Set the security level of the interface.
 ip address 120.XX.XX.76 255.255.255.252   # Configure the local public IP address of the VPN tunnel.
```
```
crypto ikev2 enable outside   # Enable IKEv2 on the "outside" interface.
crypto ikev2 policy 10   # Define the phase 1 (IKEv2) negotiation policy. The priority is a number from 1 to 65535; the smaller the number, the higher the priority. 10 is used here. Pre-shared-key authentication is configured under the tunnel group below.
 encryption aes   # Use AES-128 (keyword "aes") as the phase 1 encryption algorithm. The page treats this as the default.
 integrity md5   # Use MD5 as the integrity algorithm for the IKE policy. The default is SHA.
 group 2   # Use Diffie-Hellman group 2 for the IKE policy. The default is group 2.
 prf sha   # Set the pseudo-random function (PRF) used for key derivation to SHA.
 lifetime seconds 86400   # IKE SA lifetime in seconds. The default is 86400.
```
```
group-policy group_policy internal   # Create an internal group policy for the peer.
group-policy group_policy attributes   # Set the group policy attributes.
 vpn-tunnel-protocol ikev2   # Allow IKEv2 as the VPN tunnel protocol.
```
```
tunnel-group 159.XX.XX.242 type ipsec-l2l   # Create a site-to-site (LAN-to-LAN) IPsec tunnel group named after the peer's public IP.
tunnel-group 159.XX.XX.242 general-attributes
 default-group-policy group_policy   # Apply the group policy defined in the previous step.
tunnel-group 159.XX.XX.242 ipsec-attributes   # Configure the tunnel group attributes and the pre-shared keys.
 ikev2 remote-authentication pre-shared-key tencent@123   # Key used to authenticate the remote peer.
 ikev2 local-authentication pre-shared-key tencent@123   # Key this firewall presents to the peer; 1 to 128 characters (letters, digits or symbols).
```
```
crypto ipsec ikev2 ipsec-proposal ikev2_proposal   # Define the phase 2 (IPsec) proposal: encryption and integrity algorithms.
 protocol esp encryption aes   # Use AES-128 (keyword "aes") for ESP encryption.
 protocol esp integrity sha-1   # Use SHA-1 HMAC for ESP integrity checking.
```
```
access-list INTERESTING extended permit ip 172.XX.XX.0 255.255.0.0 10.1.1.0 255.255.255.0   # Define the ACL that matches the traffic (IDC range to VPC subnet) to be carried in the VPN tunnel.
```
```
crypto map CMAP 1 match address INTERESTING   # Only packets whose source and destination match the ACL are sent through the VPN tunnel.
crypto map CMAP 1 set peer 159.XX.XX.242   # Public IP of the peer VPN gateway to which IPsec-protected traffic is forwarded; the Tencent Cloud VPN gateway IP is used here.
crypto map CMAP 1 set ikev2 ipsec-proposal ikev2_proposal   # Use the IKEv2 IPsec proposal defined above for this crypto map entry.
crypto map CMAP 1 set security-association lifetime seconds 3600   # Configure the IPsec SA lifetime in seconds.
crypto map CMAP 1 set security-association lifetime kilobytes 1843200   # Amount of traffic in kilobytes allowed over the SA before it is renegotiated. The defaults are 4,608,000 kilobytes and 28,800 seconds.
crypto map CMAP interface outside   # Apply the crypto map configured above to the "outside" interface.
route outside 10.1.1.0 255.255.255.0 159.XX.XX.242 1   # Route the IP range to be encrypted towards the IPsec tunnel, with the peer's public IP as the next hop.
```
Use the ping command to test the VPN connectivity.

Configuration for IKEv2 using a VTI (virtual tunnel interface). Log in to the firewall over SSH and enter global configuration mode as in the first section (ssh, then enable, then conf t), and continue as follows.
```
interface GigabitEthernet0/0
 nameif outside   # Name the security zone of the interface.
 security-level 0   # Set the security level of the interface.
 ip address 120.XX.XX.76 255.255.255.252   # Configure the local public IP address of the VPN tunnel (the IDC gateway side; the peer's public IP is set on the tunnel interface below).
interface Tunnel100
 nameif vti   # Name the tunnel interface; the "route vti" command below refers to this name.
 ip address 172.XX.XX.2 255.255.255.0   # Assign an IP address to bring the tunnel interface up.
```
```
crypto ikev2 enable outside   # Enable IKEv2 on the "outside" interface.
crypto ikev2 policy 1   # Define the phase 1 (IKEv2) negotiation policy. The priority is a number from 1 to 65535; the smaller the number, the higher the priority. 1 is used here.
 encryption aes   # Use AES-128 (keyword "aes") as the phase 1 encryption algorithm. The page treats this as the default.
 integrity md5   # Use MD5 as the integrity algorithm for the IKE policy. The default is SHA.
 group 2   # Use Diffie-Hellman group 2 for the IKE policy. The default is group 2.
 prf sha   # Set the pseudo-random function (PRF) used for key derivation to SHA.
 lifetime seconds 86400   # IKE SA lifetime in seconds. The default is 86400.
```
```
group-policy group_policy internal   # Create an internal group policy for the peer.
group-policy group_policy attributes   # Set the group policy attributes.
 vpn-tunnel-protocol ikev2   # Allow IKEv2 as the VPN tunnel protocol.
```
```
tunnel-group 159.XX.XX.242 type ipsec-l2l   # Create a site-to-site (LAN-to-LAN) IPsec tunnel group named after the peer's public IP.
tunnel-group 159.XX.XX.242 general-attributes
 default-group-policy group_policy   # Apply the group policy defined in the previous step.
tunnel-group 159.XX.XX.242 ipsec-attributes   # Configure the tunnel group attributes and the pre-shared keys.
 ikev2 remote-authentication pre-shared-key tencent@123   # Key used to authenticate the remote peer.
 ikev2 local-authentication pre-shared-key tencent@123   # Key this firewall presents to the peer; 1 to 128 characters (letters, digits or symbols).
```
```
crypto ipsec ikev2 ipsec-proposal ikev2_proposal   # Define the phase 2 (IPsec) proposal: encryption and integrity algorithms.
 protocol esp encryption aes   # Use AES-128 (keyword "aes") for ESP encryption.
 protocol esp integrity sha-1   # Use SHA-1 HMAC for ESP integrity checking.
```
```
crypto ipsec profile PROFILE1
 set ikev2 ipsec-proposal ikev2_proposal   # Use the IKEv2 IPsec proposal defined above for this IPsec profile.
 set security-association lifetime kilobytes 1843200   # Amount of traffic in kilobytes allowed over the SA before it is renegotiated.
 set security-association lifetime seconds 3600   # SA lifetime in seconds. The defaults are 4,608,000 kilobytes and 28,800 seconds.
```
```
interface Tunnel100
 tunnel source interface outside   # The tunnel is sourced from the "outside" interface.
 tunnel destination 159.XX.XX.242   # Public IP address of the peer VPN gateway; the Tencent Cloud VPN gateway IP is used here.
 tunnel mode ipsec ipv4   # Set the tunnel interface protocol to IPsec over IPv4.
 tunnel protection ipsec profile PROFILE1   # Protect traffic through the tunnel interface with the IPsec profile defined above.
route vti 10.1.1.0 255.255.255.0 159.XX.XX.242   # Route the packets to be encrypted to the tunnel interface.
```
Use the ping command to test the VPN connectivity.
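Before pasting any of the four configurations above into a production firewall, it helps to check that every name one command refers to (ACL, transform set, interface nameif) is actually defined, that a crypto map is applied to an interface, and that weak choices such as MD5, DH group 2 and a short pre-shared key are at least flagged. The following lint is an added example, not Tencent Cloud's or Cisco's code; the embedded configuration is a constructed sample modelled on the IKEv1 crypto-map section, and the 20-character PSK threshold is an assumed local policy.

```python
import re

# Constructed sample modelled on the page's IKEv1 crypto-map configuration (placeholders, not real values).
SAMPLE_CONFIG = """
interface GigabitEthernet0/0
 nameif outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash md5
 group 2
tunnel-group 159.XX.XX.242 ipsec-attributes
 ikev1 pre-shared-key tencent@123
crypto ipsec ikev1 transform-set TS esp-aes esp-md5-hmac
access-list INTERESTING extended permit ip 172.XX.XX.0 255.255.0.0 10.1.1.0 255.255.255.0
crypto map CMAP 1 match address INTERESTING
crypto map CMAP 1 set ikev1 transform-set TS
crypto map CMAP interface outside
route outside 10.1.1.0 255.255.255.0 159.XX.XX.242 1
"""

# Commands that define a name, and commands that must reference a defined name.
DEFINES = {"nameif": r"nameif (\S+)", "acl": r"access-list (\S+)",
           "tset": r"crypto ipsec ikev1 transform-set (\S+)"}
REFS = [(r"crypto map \S+ \d+ match address (\S+)", "acl"),
        (r"crypto map \S+ \d+ set ikev1 transform-set (\S+)", "tset"),
        (r"crypto map \S+ interface (\S+)", "nameif"),
        (r"crypto ikev1 enable (\S+)", "nameif"),
        (r"route (\S+) \d", "nameif")]

def lint_asa_vpn(config):
    """Return findings: dangling references, an unapplied crypto map, weak crypto choices."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    defined = {k: {m[1] for l in lines if (m := re.match(p, l))} for k, p in DEFINES.items()}
    findings = []
    for l in lines:
        for pattern, kind in REFS:
            if (m := re.match(pattern, l)) and m[1] not in defined[kind]:
                findings.append(f"undefined {kind} '{m[1]}' referenced by: {l}")
        if re.search(r"\bmd5\b", l):  # hash md5 / integrity md5 / esp-md5-hmac
            findings.append(f"weak integrity algorithm (MD5): {l}")
        if l == "group 2":
            findings.append("weak DH group 2 (1024-bit MODP) in IKE policy")
        if (m := re.search(r"pre-shared-key (\S+)$", l)) and len(m[1]) < 20:  # assumed local policy
            findings.append("pre-shared key shorter than 20 characters")
    if any(l.startswith("crypto map ") for l in lines) and not any(
            re.match(r"crypto map \S+ interface ", l) for l in lines):
        findings.append("crypto map defined but never applied to an interface")
    return findings
```

Run against the sample it reports the two MD5 uses, DH group 2 and the short PSK; a dropped `crypto map CMAP interface outside` line or a `route vti` without a matching `nameif vti` shows up as a dangling-reference or unapplied-map finding.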